Uncle Sam is tired of playing defense against international cyber attacks, and …

Back in the Cold War era, the military's plans for developing the next generation of war-fighting capabilities were always a closely guarded secret; programs for developing cutting-edge bombs and missiles were highly classified, and you certainly didn't need the public's permission to invent new ways to roast the enemy. But in the Internet era, the technical realities associated with carrying out cyber warfare on a largely civilian network infrastructure dictate that if you build a massive military botnet aimed at shutting down enemy networks with distributed denial-of-service (DDoS) attacks, then you can expect that the public will find out what you're up to sooner or later. And they may not be all that happy about it.

Hence articles like the one that Col. Charles W. Williamson III recently published in the Armed Services Journal (via Slashdot), wherein he tries to make the public case for a military botnet as a prelude to actually building such a beast and placing it under the Air Force's control. Williamson's article fleshes out a number of things that have been hinted at so far in the ongoing public relations offensive that has followed the official unveiling of the new Air Force Cyber Command (AFCYBER).

First, the mere fact of the article's existence suggests that the Air Force has decided that the ability to mount DDoS attacks is a major offensive ability that our enemies already have, and they definitely intend to close the gap. Indeed, a big part of the military's AFCYBER PR blitz has involved articles and interviews with officers who talk quite openly about the need for offensive capabilities, but are reluctant to spell out exactly what those are. Seeing the case for DDoS capabilities made so explicitly and forcefully serves to flesh out the picture of what those offensive capabilities would look like.

So while the article presents the military botnet idea mainly as a proposal for something that the Air Force should consider, one gets the feeling on reading it that this is more of a "speak now, or forever hold your peace" type moment for anyone in the public who objects to the idea.

Second, Williamson makes a pretty decent case for the military botnet; his points are especially strong when he describes the inevitable failure of a purely defensive posture. Williamson argues that, like every fortress down through history that has eventually fallen to a determined invader, America's cyber defenses can never be strong enough to ward off all attacks. And here, Williamson is on solid infosec ground—it's a truism in security circles that any electronic "fortress" that you build, whether it's intended to protect media files from unauthorized viewers or financial data from thieves, can eventually be breached with enough collective effort.

Given that cyber defenses are doomed to failure, Williamson argues that we need a credible cyber offensive capability to act as a deterrent against foreign attackers. I have a hard time disagreeing with this, but I'm still very uncomfortable with it, partly because it involves using civilian infrastructure for military ends.

A bigger concern centers on where the machines that will power the botnet will come from. Williamson suggests that old military computers can be repurposed as botnet drones, instead of being decommissioned. He also raises and rejects the possibility that the military would infect civilian machines with Trojans and turn them into zombies. I hope for all our sakes that the military has indeed rejected this option, but the fact that our enemies probably haven't rejected it suggests to me that the Air Force may be eyeing it as another "gap" that will need to be closed eventually.

Finally, Williamson raises the issue of the political ramifications of targeting another country's civilian network infrastructure if that infrastructure is being used to launch an attack on the US.

"The biggest challenge will be political," writes Williamson. "How does the US explain to its best friends that we had to shut down their computers? The best remedy for this is prevention. The US and its allies need to engage in a robust joint endeavor to improve net defense and intelligence to minimize this risk."

It's probably no coincidence that this week will bring news of just such an international effort to combat cyberterrorism, but we'll have more on that Wednesday.